Abstract. We answer Klop and de Vrijer's question whether adding surjective-pairing
axioms to the extensional lambda calculus yields a conservative extension. The answer 
is positive. As a byproduct we obtain a "syntactic" proof that the extensional lambda 
calculus with surjective pairing is consistent. 



1. Introduction 

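The theory $\lambda_{\beta\eta\mathrm{SP}}$ is obtained from the untyped extensional lambda calculus $\lambda_{\beta\eta}$ [2] by
adding three surjective-pairing axioms:

($\pi_1$) $\pi_1 \langle M, N \rangle = M$
($\pi_2$) $\pi_2 \langle M, N \rangle = N$
(SP) $\langle \pi_1 M, \pi_2 M \rangle = M$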

These axioms are said to define a surjective pairing since the axiom (sp) implies that every 
term is equal to a pair. 

A $\lambda$-term is called pure if it does not contain any of the new constructs $\pi_i$ and $\langle\cdot,\cdot\rangle$. In
this article we give a positive answer to the following question, asked by Klop and de Vrijer
in 1989 jlUl I23j and featured as Problem 5 in the original RTA list of open problems [5]:
Suppose that $M$ and $N$ are pure $\lambda$-terms. Does $M =_{\beta\eta\mathrm{SP}} N$ imply that

In other words, we show that the theory $\lambda_{\beta\eta\mathrm{SP}}$ is a conservative extension of the theory
$\lambda_{\beta\eta}$. As a byproduct we obtain a proof of consistency of $\lambda_{\beta\eta\mathrm{SP}}$ that uses purely syntactic
methods.^



2000 ACM Subject Classification: F.4.1. 

Key words and phrases: Lambda calculus, surjective pairing, extensionality. 

^The author only knows of one other such "syntactic" consistency proof for $\lambda_{\beta\eta\mathrm{SP}}$, namely one based on
recent work on operationally defined bisimulations [12].
1.1. Background of the problem. The two perhaps most obvious attempts at showing
conservativity of $\lambda_{\beta\eta\mathrm{SP}}$ fail because of two negative results: no surjective-pairing function
(that is, no pairing function satisfying the three axioms above) is definable in the lambda
calculus [1], and the standard reduction relation for the lambda calculus with surjective pairing
is not confluent [S]. Both results were shown for the extensional lambda calculus as well.

Klop and Klop and de Vrijer ^0] have considered a number of properties of the
(non-extensional) lambda calculus with surjective pairing, $\lambda_{\beta\mathrm{SP}}$, which would have trivially
followed from confluence of the standard reduction relation. In particular, de Vrijer has
shown that $\lambda_{\beta\mathrm{SP}}$ is a conservative extension of the lambda calculus. This result
motivated the question answered here: whether surjective pairing also conservatively extends
the extensional lambda calculus.

The proof of conservativity by de Vrijer is furthermore the first known "syntactic"
consistency proof for $\lambda_{\beta\mathrm{SP}}$. One of Scott's model-theoretic consistency proofs for $\lambda_{\beta\eta}$ PU]
can be easily adapted to show consistency of $\lambda_{\beta\eta\mathrm{SP}}$ (and hence also $\lambda_{\beta\mathrm{SP}}$) as well.

The theory $\lambda_{\beta\eta\mathrm{SP}}$ has also been investigated from a categorical point of view. If C is a
cartesian closed category with an object U such that

then there are various ways of interpreting $\lambda$-terms as morphisms of C [21 Moreover,
every extension of the theory $\lambda_{\beta\eta\mathrm{SP}}$ is the theory of a model arising in this way |1H I21j.

1.2. Formalization. The author has formalized and verified the proof of the conservativity
result using the Twelf system JHl-. The formalized proof additionally serves as an
implementation of a procedure transforming a formal derivation of $M =_{\beta\eta\mathrm{SP}} N$ into a formal
derivation of $M =_{\beta\eta} N$ (for pure terms $M$ and $N$). It is available from

http://purl.oclc.org/net/kss/eta-SP

The formalized statement of the main result is presented in Appendix A.

2. Background and notation 

The reader is assumed to be familiar with basic properties of the untyped lambda
calculus, as presented for example in the first three chapters of Barendregt's book [2].
The syntax of $\lambda$-terms is extended with constructs for pairing and projection:

$M ::= x \mid \lambda x.M \mid M\,M \mid \langle M, M \rangle \mid \pi_1 M \mid \pi_2 M$

(where $x$ ranges over an infinite set of variables). The pure terms are the usual $\lambda$-terms, i.e.,
terms with no occurrences of $\pi_i$ or $\langle\cdot,\cdot\rangle$. The set of free variables of a term $M$ is denoted
$\mathrm{FV}(M)$. We follow practice and identify $\alpha$-equivalent terms.

We use the following notation and definitions for relations on $\lambda$-terms: For any binary
relation $\triangleright_{\mathcal{R}}$ on $\lambda$-terms, $\to_{\mathcal{R}}$ denotes the compatible closure of $\triangleright_{\mathcal{R}}$ as defined in Figure 1.
The relation $\to_{\mathcal{R}}$ is called a reduction relation. The reflexive-transitive closure of $\to_{\mathcal{R}}$
is written $\to_{\mathcal{R}}^{*}$ and the reflexive-transitive-symmetric closure of $\to_{\mathcal{R}}$ is written $=_{\mathcal{R}}$. We
write $\lambda_{\mathcal{R}}$ for the equational theory of $\lambda$-terms corresponding to $=_{\mathcal{R}}$, i.e., $\lambda_{\mathcal{R}}$ is the set of
formal equations "$M = N$" such that $M =_{\mathcal{R}} N$.

The relation $\triangleright_{\beta\eta\mathrm{SP}}$ is defined by the axioms in Figure 2. This relation generates a
reduction relation $\to_{\beta\eta\mathrm{SP}}$ and an equality relation $=_{\beta\eta\mathrm{SP}}$. The extensional lambda calculus
with surjective pairing is defined as the theory $\lambda_{\beta\eta\mathrm{SP}}$.
Figure 1: The compatible closure of $\triangleright_{\mathcal{R}}$.
Figure 2: The relation $\triangleright_{\beta\eta\mathrm{SP}}$.



3. Overview of the proof 

The relation $\to_{\beta\eta\mathrm{SP}}$ is the standard reduction relation generating $=_{\beta\eta\mathrm{SP}}$. This
reduction relation is, however, not confluent [Sj [HI p. 216]; its confluence would immediately
imply the main result, namely that $\lambda_{\beta\eta\mathrm{SP}}$ is conservative over $\lambda_{\beta\eta}$.^

In this article we instead consider a further extension $\lambda_{\mathrm{FP}}$ of $\lambda_{\beta\eta\mathrm{SP}}$ and show that $\lambda_{\mathrm{FP}}$
is conservative over $\lambda_{\beta\eta}$. Since $\lambda_{\mathrm{FP}}$ is an extension of $\lambda_{\beta\eta\mathrm{SP}}$, the main result follows. The
proof is structured in the following way:

• In Section 4 we present the extension $\lambda_{\mathrm{FP}}$ of $\lambda_{\beta\eta\mathrm{SP}}$ and show that it is generated
by a confluent reduction relation $\to_{\mathrm{FP}}$. In the relation $\to_{\mathrm{FP}}$ the orientation of
the axioms ($\eta$) and (SP) is reversed; in other words, the extensionality axioms are
oriented as expansion axioms (see, e.g., the work by Jay and Ghani [S]).

• In Section 5 we show that $\lambda_{\mathrm{FP}}$ is conservative over $\lambda_{\beta\eta}$ on pure $\lambda$-terms. This result
does not immediately follow from confluence of $\to_{\mathrm{FP}}$ since $\to_{\mathrm{FP}}$ contains (SP)
oriented as an expansion axiom.

^The non-confluent reduction relation considered by Klop f51 is slightly different from $\to_{\beta\eta\mathrm{SP}}$. It is
simple to construct a counter-example to confluence similar to Klop's.
4. An extension of the theory $\lambda_{\beta\eta\mathrm{SP}}$

We first present the extension $\lambda_{\mathrm{FP}}$ of $\lambda_{\beta\eta\mathrm{SP}}$; the name FP is intended to be a mnemonic
for "functional pairing". The relation $\triangleright_{\mathrm{FP}}$ is defined by the axioms in Figure 3. This
relation generates the theory $\lambda_{\mathrm{FP}}$ and the reduction relation $\to_{\mathrm{FP}}$. For convenience, we
refer to the axioms ($\delta\pi$), ($\pi_1\lambda$), and ($\pi_2\lambda$) as the commutation axioms; intuitively, these
axioms express how a function behaves as a pair and vice versa. As discussed above, the
axioms ($\eta$) and (SP) are oriented as expansion axioms.

The theory $\lambda_{\mathrm{FP}}$ is not new, although it does not appear to have been explicitly named
before. Axioms similar to the commutation axioms ($\delta\pi$), ($\pi_1\lambda$), and ($\pi_2\lambda$) were first
considered in work on products and lists in the lambda calculus ^Hl and in work on categorical
combinators [19]: adding the surjective-pairing axiom (SP) to Révész's theory $\lambda p$ gives the
theory $\lambda_{\mathrm{FP}}$, except for a minor syntactic difference. Durfee gave a model for the full theory
$\lambda_{\mathrm{FP}}$ |Z| (see the remark below). Axioms equivalent to the commutation axioms play an
indirect, but important, role in recent work on solvability for $\lambda$-terms with pairs [12].

The reduction relation $\to_{\mathrm{FP}}$ (with its combination of commutation axioms and
expansion axioms) appears to be new.
Figure 3: The relation $\triangleright_{\mathrm{FP}}$.



Remark. In this article, the theory $\lambda_{\mathrm{FP}}$ and the associated reduction relation $\to_{\mathrm{FP}}$ are
used to prove a specific result about a different theory. However, $\lambda_{\mathrm{FP}}$ and $\to_{\mathrm{FP}}$ can be
justified semantically and syntactically:

• From the point of view of semantics: The original model of $\lambda_{\beta\eta\mathrm{SP}}$ |1H I2()j is also
a model of $\lambda_{\mathrm{FP}}$ [Zj. Indeed, let U and V be complete partial orders such that
V = V ^ V and U = Then by calculations valid in any cartesian closed
category [20], $U = U \times U = [U \to U]$, and one can verify that the standard
interpretation^ of $\lambda$-terms as elements of U gives rise to a model of $\lambda_{\mathrm{FP}}$.

As an aside, if U is an arbitrary complete partial order satisfying that
$U = U \times U = [U \to U]$, then the standard interpretation using these isomorphisms
makes U a model of (at least) $\lambda_{\beta\eta\mathrm{SP}}$. Taking U = V in the above construction now
gives an alternative pair of isomorphisms, and hence an alternative interpretation
of $\lambda$-terms, resulting in a model of $\lambda_{\mathrm{FP}}$.

^See also Exercise 18.4.19 in Barendregt's book [5].
• From the point of view of term rewriting: In the simply-typed lambda calculus,
term constructs can be proof-theoretically classified as either introduction forms
($\lambda x.M$ and $\langle M, N \rangle$) or elimination forms ($M\,N$ and $\pi_i M$), using the Curry-Howard
isomorphism pi. The simply-typed counterparts of the axioms ($\pi_1$), and ($\pi_2$)
of Figure 3 then imply that, when constructing a term bottom-up, "an introduction
form followed by an elimination form is a redex." This property is preserved in the
untyped reduction relation $\to_{\mathrm{FP}}$ by virtue of the commutation axioms ($\delta\pi$), ($\pi_1\lambda$)
and ($\pi_2\lambda$).

In the rest of this section we prove that $\to_{\mathrm{FP}}$ is confluent. For that purpose we
describe $\to_{\mathrm{FP}}$ as the union of two relations: a part $\to_{\mathrm{E}}$ generated from the $\eta$/SP-expansion
axioms ($\eta$) and (SP), and an "extensionality-free" part $\to_{\mathrm{R}}$ generated from all the
remaining axioms.

• In Section 4.1 we show that the extensionality-free part $\to_{\mathrm{R}}$ is confluent.

• In Section 4.2 we review the well-known fact that $\eta$/SP-expansion $\to_{\mathrm{E}}$ is confluent,
and then show that $\to_{\mathrm{E}}$ commutes with $\to_{\mathrm{R}}$: if $N_1 \leftarrow_{\mathrm{E}}^{*} M \to_{\mathrm{R}}^{*} N_2$, then there
is a $P$ such that $N_1 \to_{\mathrm{R}}^{*} P \leftarrow_{\mathrm{E}}^{*} N_2$.

We conclude by the Hindley-Rosen Lemma [2, p. 64] that the union $\to_{\mathrm{FP}} \;=\; \to_{\mathrm{R}} \cup \to_{\mathrm{E}}$ is
confluent. Earlier, van Oostrom used a similar approach to prove confluence of $\eta$-expansion
(together with $\beta$-reduction) in the pure lambda calculus [14].

From a technical point of view, the proof that $\to_{\mathrm{E}}$ commutes with $\to_{\mathrm{R}}$ is the novel
part of the confluence proof: the commutation proof highlights the role of the axioms ($\delta\pi$),
($\pi_1\lambda$), and ($\pi_2\lambda$).

4.1. Confluence of an extensionality-free subrelation. The relation $\triangleright_{\mathrm{R}}$ is defined by
all the axioms of $\triangleright_{\mathrm{FP}}$ except ($\eta$) and (SP); for convenience the remaining axioms are shown
in Figure 4. The relation $\triangleright_{\mathrm{R}}$ generates the reduction relation $\to_{\mathrm{R}}$.
Figure 4: The relation $\triangleright_{\mathrm{R}}$.



We now aim to prove that $\to_{\mathrm{R}}$ is confluent. In fact, this follows from general
higher-order rewriting theory, since $\to_{\mathrm{R}}$ can be formulated as an orthogonal pattern higher-order
rewriting system [13, 17], and such systems are confluent. However, in order to keep
the presentation self-contained, we give a direct confluence proof. This direct proof, which
follows the method of the Tait/Martin-Löf proof of confluence of $\beta$-reduction [2, p. 60], can
be viewed as a specialized version of Nipkow's confluence proof [13].
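First, define a parallel [2] reduction relation $\Rightarrow_{\mathrm{R}}$, shown in Figure 5.^

$$\frac{M \Rightarrow_{\mathrm{R}} M' \qquad N \Rightarrow_{\mathrm{R}} N'}{(\lambda x.M)\, N \Rightarrow_{\mathrm{R}} M'[x := N']}$$

$$\frac{M \Rightarrow_{\mathrm{R}} M'}{\pi_1 \langle M, N \rangle \Rightarrow_{\mathrm{R}} M'} \qquad \frac{N \Rightarrow_{\mathrm{R}} N'}{\pi_2 \langle M, N \rangle \Rightarrow_{\mathrm{R}} N'}$$

$$\frac{M \Rightarrow_{\mathrm{R}} M' \qquad N \Rightarrow_{\mathrm{R}} N' \qquad P \Rightarrow_{\mathrm{R}} P'}{\langle M, N \rangle\, P \Rightarrow_{\mathrm{R}} \langle M'\,P', N'\,P' \rangle}$$

$$\frac{M \Rightarrow_{\mathrm{R}} M'}{\pi_1 (\lambda x.M) \Rightarrow_{\mathrm{R}} \lambda x.\pi_1 M'} \qquad \frac{M \Rightarrow_{\mathrm{R}} M'}{\pi_2 (\lambda x.M) \Rightarrow_{\mathrm{R}} \lambda x.\pi_2 M'}$$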

M ^R M' 

M^rM 

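$$\frac{M \Rightarrow_{\mathrm{R}} M' \qquad N \Rightarrow_{\mathrm{R}} N'}{M\, N \Rightarrow_{\mathrm{R}} M'\, N'} \qquad \frac{M \Rightarrow_{\mathrm{R}} M' \qquad N \Rightarrow_{\mathrm{R}} N'}{\langle M, N \rangle \Rightarrow_{\mathrm{R}} \langle M', N' \rangle}$$

$$\frac{M \Rightarrow_{\mathrm{R}} M'}{\pi_1 M \Rightarrow_{\mathrm{R}} \pi_1 M'} \qquad \frac{M \Rightarrow_{\mathrm{R}} M'}{\pi_2 M \Rightarrow_{\mathrm{R}} \pi_2 M'}$$

Figure 5: Parallel R-reduction $\Rightarrow_{\mathrm{R}}$.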



Proposition 4.1.

(i) $\to_{\mathrm{R}}^{*} \;=\; \Rightarrow_{\mathrm{R}}^{*}$.

(ii) If $M \Rightarrow_{\mathrm{R}} M'$ and $N \Rightarrow_{\mathrm{R}} N'$, then $M[x := N] \Rightarrow_{\mathrm{R}} M'[x := N']$.
(iii) If $M \to_{\mathrm{R}}^{*} M'$ and $N \to_{\mathrm{R}}^{*} N'$, then $M[x := N] \to_{\mathrm{R}}^{*} M'[x := N']$.

Proof. Standard [p. 60]. Part (iii) follows from the first two parts and will be used in the
next section. □

Proposition 4.2. The relation $\Rightarrow_{\mathrm{R}}$ satisfies the diamond property: if $M \Rightarrow_{\mathrm{R}} N_1$ and
$M \Rightarrow_{\mathrm{R}} N_2$, then there is a $P$ such that $N_1 \Rightarrow_{\mathrm{R}} P$ and $N_2 \Rightarrow_{\mathrm{R}} P$.

Proof. By induction on the derivations of $M \Rightarrow_{\mathrm{R}} N_1$ and $M \Rightarrow_{\mathrm{R}} N_2$ according to the rules
in Figure 5. Many of the cases are well-known from the proof of confluence of $\beta$-reduction.
There are no interesting new cases (which is another way of saying that $\to_{\mathrm{R}}$ can naturally
be defined as an orthogonal higher-order term rewriting system). □

^The notion that $\Rightarrow_{\mathrm{R}}$ is the parallel reduction relation generated from the axioms of $\triangleright_{\mathrm{R}}$ can be made
precise [13, Section 4].



EXTENSIONAL LAMBDA CALCULUS WITH SURJECTIVE PAIRING 






Corollary 4.3. The relation $\to_{\mathrm{R}}$ is confluent.

4.2. The relation $\to_{\mathrm{R}}$ commutes with $\eta$/SP-expansion. We define the relation $\triangleright_{\mathrm{E}}$
by the axioms ($\eta$) and (SP), for convenience shown in Figure 6. This relation generates the
$\eta$/SP-expansion relation $\to_{\mathrm{E}}$.



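($\eta$) $M \triangleright_{\mathrm{E}} \lambda x.M\,x$ (if $x \notin \mathrm{FV}(M)$)

(SP) $M \triangleright_{\mathrm{E}} \langle \pi_1 M, \pi_2 M \rangle$

Figure 6: The relation $\triangleright_{\mathrm{E}}$.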



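The purpose of this section is to show that $\to_{\mathrm{E}}$ commutes with $\to_{\mathrm{R}}$, that is, if
$N_1 \leftarrow_{\mathrm{E}}^{*} M \to_{\mathrm{R}}^{*} N_2$, then there is a $P$ such that $N_1 \to_{\mathrm{R}}^{*} P \leftarrow_{\mathrm{E}}^{*} N_2$. Before proceeding
with the proof of commutation, we consider some of the critical pairs [13] between $\to_{\mathrm{E}}$
and $\to_{\mathrm{R}}$. The first two cases are well-known:

(1) $(\lambda x.(\lambda x.M)\, x)\, N \leftarrow_{\eta} (\lambda x.M)\, N \to_{\beta} M[x := N]$.
Solution: $(\lambda x.(\lambda x.M)\, x)\, N \to_{\beta} (\lambda x.M)\, N \to_{\beta} M[x := N]$.

(2) $\pi_1 \langle \pi_1 \langle M_1, M_2 \rangle, \pi_2 \langle M_1, M_2 \rangle \rangle \leftarrow_{\mathrm{SP}} \pi_1 \langle M_1, M_2 \rangle \to_{\pi_1} M_1$.
Solution: $\pi_1 \langle \pi_1 \langle M_1, M_2 \rangle, \pi_2 \langle M_1, M_2 \rangle \rangle \to_{\pi_1} \pi_1 \langle M_1, M_2 \rangle \to_{\pi_1} M_1$.

On the other hand, to resolve the next two kinds of critical pairs, one needs the commutation
axioms ($\delta\pi$), ($\pi_1\lambda$), and ($\pi_2\lambda$):

(3) $\pi_1 (\lambda x.\langle M_1, M_2 \rangle\, x) \leftarrow_{\eta} \pi_1 \langle M_1, M_2 \rangle \to_{\pi_1} M_1$.

Solution:

$\pi_1 (\lambda x.\langle M_1, M_2 \rangle\, x) \to_{\delta\pi} \pi_1 (\lambda x.\langle M_1\, x, M_2\, x \rangle)$

$\to_{\pi_1\lambda} \lambda x.\pi_1 \langle M_1\, x, M_2\, x \rangle$

$\to_{\pi_1} \lambda x.M_1\, x$

$\leftarrow_{\eta} M_1$.

(4) $\langle \pi_1 (\lambda x.M), \pi_2 (\lambda x.M) \rangle\, N \leftarrow_{\mathrm{SP}} (\lambda x.M)\, N \to_{\beta} M[x := N]$.
Solution:

$\langle \pi_1 (\lambda x.M), \pi_2 (\lambda x.M) \rangle\, N \to_{\pi_1\lambda,\pi_2\lambda}^{*} \langle \lambda x.\pi_1 M, \lambda x.\pi_2 M \rangle\, N$

$\to_{\delta\pi} \langle (\lambda x.\pi_1 M)\, N, (\lambda x.\pi_2 M)\, N \rangle$

$\to_{\beta}^{*} \langle \pi_1 (M[x := N]), \pi_2 (M[x := N]) \rangle$

$\leftarrow_{\mathrm{SP}} M[x := N]$.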

These are all the kinds of critical pairs between $\to_{\mathrm{E}}$ and $\to_{\mathrm{R}}$ in which the R-step uses
one of the axioms ($\beta$), ($\pi_1$), or ($\pi_2$). The cases where the R-step is one of the remaining
axioms can be resolved similarly to the simple cases 1 and 2.
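
The joins claimed for critical pairs (3) and (4) can be replayed mechanically. The following Python sketch is an added example, not part of the paper or of its Twelf formalization; it assumes a de Bruijn term representation and a leftmost-outermost strategy (both choices made here), and takes the R-axioms ($\beta$), ($\pi_1$), ($\pi_2$), ($\delta\pi$), ($\pi_1\lambda$), ($\pi_2\lambda$) in the form in which they appear in the rules of Figure 5.

```python
# Added illustration, not the paper's code. De Bruijn terms (a choice made here):
#   ("var", n) | ("free", name) | ("lam", body) | ("app", f, a)
#   | ("pair", a, b) | ("p1", m) | ("p2", m)

def shift(t, d, cutoff=0):
    """Add d to every bound-variable index >= cutoff."""
    if t[0] == "var":
        return ("var", t[1] + d) if t[1] >= cutoff else t
    if t[0] == "free":
        return t
    if t[0] == "lam":
        return ("lam", shift(t[1], d, cutoff + 1))
    return (t[0],) + tuple(shift(s, d, cutoff) for s in t[1:])

def subst(body, arg, depth=0):
    """Body of a contracted beta-redex: index `depth` becomes arg."""
    if body[0] == "var":
        if body[1] == depth:
            return shift(arg, depth)
        return ("var", body[1] - 1) if body[1] > depth else body
    if body[0] == "free":
        return body
    if body[0] == "lam":
        return ("lam", subst(body[1], arg, depth + 1))
    return (body[0],) + tuple(subst(s, arg, depth) for s in body[1:])

def step(t):
    """One leftmost-outermost R-step, or None when t is R-normal."""
    tag = t[0]
    if tag == "app" and t[1][0] == "lam":            # (beta)
        return subst(t[1][1], t[2])
    if tag == "app" and t[1][0] == "pair":           # (delta-pi)
        return ("pair", ("app", t[1][1], t[2]), ("app", t[1][2], t[2]))
    if tag in ("p1", "p2") and t[1][0] == "pair":    # (pi1), (pi2)
        return t[1][1] if tag == "p1" else t[1][2]
    if tag in ("p1", "p2") and t[1][0] == "lam":     # (pi1-lambda), (pi2-lambda)
        return ("lam", (tag, t[1][1]))
    for i in range(1, len(t)):                       # otherwise: first reducible subterm
        if isinstance(t[i], tuple):
            r = step(t[i])
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
    return None

def normalize(t, fuel=1000):
    """Iterate step(); the budget guards against terms with no normal form."""
    for _ in range(fuel):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("step budget exhausted")

def eta_expand(m):
    return ("lam", ("app", shift(m, 1), ("var", 0)))   # axiom (eta) as an expansion

def sp_expand(m):
    return ("pair", ("p1", m), ("p2", m))              # axiom (SP) as an expansion

def critical_pair_3():
    """R-normal form of pi1 (\\x.<M1,M2> x) and the eta-expansion of M1."""
    m1, m2 = ("free", "M1"), ("free", "M2")
    return normalize(("p1", eta_expand(("pair", m1, m2)))), eta_expand(m1)

def critical_pair_4():
    """R-normal form of <pi1 (\\x.M), pi2 (\\x.M)> N and the SP-expansion of M[x := N]."""
    fun, n = ("lam", ("app", ("free", "f"), ("var", 0))), ("free", "N")
    return (normalize(("app", sp_expand(fun), n)),
            sp_expand(normalize(("app", fun, n))))

if __name__ == "__main__":
    print(critical_pair_3(), critical_pair_4(), sep="\n")
```

In both functions the two returned terms coincide: the expanded side R-reduces to an expansion of the contracted side, which is the shape of join that the commutation proof requires.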

We now turn to the actual proof of commutation. Define a parallel $\eta$/SP-expansion
relation $\Rightarrow_{\mathrm{E}}$ IHlIllI by the rules in Figure 7.

First, some simple facts about parallel $\eta$/SP-expansion:

Proposition 4.4.

(i) $\to_{\mathrm{E}}^{*} \;=\; \Rightarrow_{\mathrm{E}}^{*}$.

(ii) $\to_{\mathrm{E}}$ is confluent.






K. STØVRING



(x ^ FV(M)) 



M 

^ M ^^^^ 

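$$\frac{M \Rightarrow_{\mathrm{E}} M' \qquad N \Rightarrow_{\mathrm{E}} N'}{M\, N \Rightarrow_{\mathrm{E}} M'\, N'} \qquad \frac{M \Rightarrow_{\mathrm{E}} M' \qquad N \Rightarrow_{\mathrm{E}} N'}{\langle M, N \rangle \Rightarrow_{\mathrm{E}} \langle M', N' \rangle}$$

$$\frac{M \Rightarrow_{\mathrm{E}} M'}{\pi_1 M \Rightarrow_{\mathrm{E}} \pi_1 M'} \qquad \frac{M \Rightarrow_{\mathrm{E}} M'}{\pi_2 M \Rightarrow_{\mathrm{E}} \pi_2 M'}$$

Figure 7: Parallel $\eta$/SP-expansion $\Rightarrow_{\mathrm{E}}$.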



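(iii) If $M \Rightarrow_{\mathrm{E}} M'$ and $N \Rightarrow_{\mathrm{E}} N'$, then $M[x := N] \Rightarrow_{\mathrm{E}} M'[x := N']$.
Proof. Standard [H]. The confluence of $\to_{\mathrm{E}}$ follows from the diamond property of $\Rightarrow_{\mathrm{E}}$. □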

We now aim to prove that if $N_1 \Leftarrow_{\mathrm{E}} M \to_{\mathrm{R}} N_2$ then there exists a $P$ such that
$N_1 \to_{\mathrm{R}}^{*} P \Leftarrow_{\mathrm{E}} N_2$. Consider for example the case

$N\, Q \Leftarrow_{\mathrm{E}} (\lambda x.M)\, Q \to_{\beta} M[x := Q]$

where $N \Leftarrow_{\mathrm{E}} \lambda x.M$. Then $N$ results from $\lambda x.M$ by a number of $\eta$/SP-expansions, and in
order to show commutation we intuitively need to iterate cases 1 and 4 of the critical pair
calculations shown in the beginning of this section. Similar examples exist for the other
axioms of $\to_{\mathrm{R}}$. The properties which are needed are shown in the following two lemmas:

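Lemma 4.5. If $\lambda x.M \Rightarrow_{\mathrm{E}} N$, then
(i) there is a $P$ such that $N\, x \to_{\mathrm{R}}^{*} P \Leftarrow_{\mathrm{E}} M$, and

(ii) there is a $Q$ such that for $i \in \{1, 2\}$: $\pi_i N \to_{\mathrm{R}}^{*} \lambda x.\pi_i Q$ and $M \Rightarrow_{\mathrm{E}} Q$.

Proof. By induction on the definition of $\lambda x.M \Rightarrow_{\mathrm{E}} N$. □

Lemma 4.6. If $\langle M_1, M_2 \rangle \Rightarrow_{\mathrm{E}} N$, then
(i) for $i \in \{1, 2\}$ there is a $P_i$ such that $\pi_i N \to_{\mathrm{R}}^{*} P_i \Leftarrow_{\mathrm{E}} M_i$, and

(ii) there are $Q_1$, $Q_2$ such that $N\, x \to_{\mathrm{R}}^{*} \langle Q_1\, x, Q_2\, x \rangle$ and $M_1 \Rightarrow_{\mathrm{E}} Q_1$ and $M_2 \Rightarrow_{\mathrm{E}} Q_2$.

Proof. By induction on the definition of $\langle M_1, M_2 \rangle \Rightarrow_{\mathrm{E}} N$. □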

We now prove the main lemma needed in the commutation proof: 

Lemma 4.7. If $N \Leftarrow_{\mathrm{E}} M \to_{\mathrm{R}} M'$, then there is a $P$ such that $N \to_{\mathrm{R}}^{*} P \Leftarrow_{\mathrm{E}} M'$.

Proof. Induction on the definition of $M \Rightarrow_{\mathrm{E}} N$, using Lemmas 4.5 and 4.6. We show some
illustrative cases.
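Case 1: $\langle \pi_1 N', \pi_2 N' \rangle \Leftarrow_{\mathrm{E}} M \to_{\mathrm{R}} M'$ where $N' \Leftarrow_{\mathrm{E}} M$. By the induction hypothesis
there is a $P'$ such that $N' \to_{\mathrm{R}}^{*} P' \Leftarrow_{\mathrm{E}} M'$. Then

$\langle \pi_1 N', \pi_2 N' \rangle \to_{\mathrm{R}}^{*} \langle \pi_1 P', \pi_2 P' \rangle \Leftarrow_{\mathrm{E}} M'$

so choose $P = \langle \pi_1 P', \pi_2 P' \rangle$.
Case 2: $N_1\, N_2 \Leftarrow_{\mathrm{E}} (\lambda x.M_1)\, M_2 \to_{\mathrm{R}} M_1[x := M_2]$ where $N_1 \Leftarrow_{\mathrm{E}} \lambda x.M_1$ and where
$N_2 \Leftarrow_{\mathrm{E}} M_2$. By Lemma 4.5(i) there is a $P'$ such that $N_1\, x \to_{\mathrm{R}}^{*} P' \Leftarrow_{\mathrm{E}} M_1$. It
is easy to see from the definition of $\Rightarrow_{\mathrm{E}}$ that $x$ is not free in $N_1$. Therefore, by
Propositions 4.1 and 4.4, $N_1\, N_2 \to_{\mathrm{R}}^{*} P'[x := N_2] \Leftarrow_{\mathrm{E}} M_1[x := M_2]$, so choose
$P = P'[x := N_2]$. □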

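Lemma 4.8.

(i) If $N \Leftarrow_{\mathrm{E}} M \to_{\mathrm{R}}^{*} M'$, then there is a $P$ such that $N \to_{\mathrm{R}}^{*} P \Leftarrow_{\mathrm{E}} M'$.
(ii) If $N \Leftarrow_{\mathrm{E}}^{*} M \to_{\mathrm{R}}^{*} M'$, then there is a $P$ such that $N \to_{\mathrm{R}}^{*} P \Leftarrow_{\mathrm{E}}^{*} M'$.

Proof.

(i) By induction on the length of the reduction sequence $M \to_{\mathrm{R}}^{*} M'$, using Lemma 4.7.

(ii) By induction on the length of the reduction sequence $M \Rightarrow_{\mathrm{E}}^{*} N$, using Part (i). □

Now, by Proposition 4.4(i), $\to_{\mathrm{E}}^{*} \;=\; \Rightarrow_{\mathrm{E}}^{*}$. Therefore Lemma 4.8(ii) implies that the
relations $\to_{\mathrm{E}}$ and $\to_{\mathrm{R}}$ commute:

Proposition 4.9. If $N \leftarrow_{\mathrm{E}}^{*} M \to_{\mathrm{R}}^{*} M'$, then there is a $P$ such that $N \to_{\mathrm{R}}^{*} P \leftarrow_{\mathrm{E}}^{*} M'$.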

4.3. Confluence of $\to_{\mathrm{FP}}$. We now use the results of Sections 4.1 and 4.2 to prove the
main result of Section 4.

Proposition 4.10. The relation $\to_{\mathrm{FP}}$ is confluent.

Proof. Proposition 4.3 states that $\to_{\mathrm{R}}$ is confluent, Proposition 4.4(ii) states that $\to_{\mathrm{E}}$
is confluent, and Proposition 4.9 states that $\to_{\mathrm{R}}$ commutes with $\to_{\mathrm{E}}$. By the Hindley-Rosen
Lemma [2, p. 64], the relation $\to_{\mathrm{FP}} \;=\; \to_{\mathrm{R}} \cup \to_{\mathrm{E}}$ is confluent. □

Corollary 4.11 (Church-Rosser property). If $M =_{\mathrm{FP}} N$, then there is a $P$ such that
$M \to_{\mathrm{FP}}^{*} P$ and $N \to_{\mathrm{FP}}^{*} P$.

Proof. Follows from confluence of $\to_{\mathrm{FP}}$ [p. 54]. □
Remarks. 

(i) Orienting the axioms (SP) and ($\eta$) of $\to_{\mathrm{FP}}$ as contraction axioms does not give rise
to a confluent reduction relation: with these axioms we would have the reductions
$\lambda x.x \leftarrow_{\mathrm{FP}} \langle \pi_1 (\lambda x.x), \pi_2 (\lambda x.x) \rangle \to_{\mathrm{FP}}^{*} \langle \lambda x.\pi_1 x, \lambda x.\pi_2 x \rangle$, but the two terms $\lambda x.x$
and $\langle \lambda x.\pi_1 x, \lambda x.\pi_2 x \rangle$ would be normal forms.

(ii) The commutation axioms of $\lambda_{\mathrm{FP}}$ depend on the fact that the calculus is untyped, such
that, intuitively, every function is also a pair and vice versa. A different line of work
concerns reduction relations in typed calculi, with product and unit types, containing
(SP) oriented as a contraction axiom.

5. Main result 

We are now almost in a position to prove the main result: Suppose $M$ and $N$ are pure
$\lambda$-terms such that $M =_{\beta\eta\mathrm{SP}} N$. Then $M =_{\mathrm{FP}} N$, and by the Church-Rosser property
(Corollary 4.11) there is a $P$ such that $M \to_{\mathrm{FP}}^{*} P$ and $N \to_{\mathrm{FP}}^{*} P$. However, since $\to_{\mathrm{FP}}$
contains SP-expansion, we cannot immediately conclude that $P$ is a pure $\lambda$-term with
M P and N P. 

Definition 5.1. The $\pi$-erasure of a $\lambda$-term $M$ is the pure $\lambda$-term $|M|$ defined inductively
as follows:

$|x| = x$
$|M\,N| = |M|\,|N|$
$|\lambda x.M| = \lambda x.|M|$
$|\langle M, N \rangle| = |M|$
$|\pi_1 M| = |M|$
$|\pi_2 M| = |M|$

We could just as well have defined $|\langle M, N \rangle|$ as $|N|$, since we are only interested in $|P|$
when $P$ is $\pi$-symmetric:

Definition 5.2. A $\lambda$-term $M$ is $\pi$-symmetric if for every subterm of $M$ of the form $\langle P, Q \rangle$,
the $\pi$-erasures of $P$ and $Q$ are $\beta\eta$-equivalent: $|P| =_{\beta\eta} |Q|$.

In particular, every pure $\lambda$-term is $\pi$-symmetric.

Proposition 5.3.

(i) $|M[x := N]| = |M|[x := |N|]$

(ii) If $M$ and $N$ are $\pi$-symmetric, then $M[x := N]$ is $\pi$-symmetric.

Proof. By induction on $M$. □

Proposition 5.4. If $M$ is $\pi$-symmetric and $M \to_{\mathrm{FP}} N$, then
(i) $|M| =_{\beta\eta} |N|$, and
(ii) $N$ is $\pi$-symmetric.

Proof. By induction on the definition of $M \to_{\mathrm{FP}} N$, using Proposition 5.3. □

Now we are ready to prove that $\lambda_{\mathrm{FP}}$ is a conservative extension of $\lambda_{\beta\eta}$:

Theorem 5.5. Let $M$, $N$ be pure $\lambda$-terms. If $M =_{\mathrm{FP}} N$, then $M =_{\beta\eta} N$.

Proof. Suppose $M$ and $N$ are pure $\lambda$-terms such that $M =_{\mathrm{FP}} N$. By the Church-Rosser
property (Corollary 4.11) there is a $P$ such that $M \to_{\mathrm{FP}}^{*} P$ and $N \to_{\mathrm{FP}}^{*} P$. Since $M$ and
$N$ are pure, they are in particular $\pi$-symmetric; it follows from Proposition 5.4 that $P$ is
$\pi$-symmetric and that $|M| =_{\beta\eta} |P| =_{\beta\eta} |N|$. Hence $M = |M| =_{\beta\eta} |N| = N$. □

Corollary 5.6. The theory $\lambda_{\mathrm{FP}}$ is consistent.

Proof. By Theorem 5.5 and consistency of $\lambda_{\beta\eta}$ [2, p. 67]. □

Finally we turn to the main result of this article:
Theorem 5.7. Let $M$, $N$ be pure $\lambda$-terms. If $M =_{\beta\eta\mathrm{SP}} N$, then $M =_{\beta\eta} N$.
Proof. By Theorem 5.5 and the fact that $\lambda_{\mathrm{FP}}$ is an extension of $\lambda_{\beta\eta\mathrm{SP}}$. □
We have also obtained a new, syntactic, proof of consistency of $\lambda_{\beta\eta\mathrm{SP}}$.
Corollary 5.8. The theory $\lambda_{\beta\eta\mathrm{SP}}$ is consistent.

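Remark. The question of conservativity was originally formulated in a slightly different
setting ^Uj: let $D$, $D_1$ and $D_2$ be three new constants, and add the following axioms to the
pure $\lambda_{\beta\eta}$-calculus:

$D_1 (D\, M\, N) =_{\beta\eta D} M$

$D_2 (D\, M\, N) =_{\beta\eta D} N$

$D (D_1 M) (D_2 M) =_{\beta\eta D} M$
To see that the resulting theory $\lambda_{\beta\eta D}$ is conservative over $\lambda_{\beta\eta}$, one can simulate $\lambda_{\beta\eta D}$ in
$\lambda_{\beta\eta\mathrm{SP}}$ by defining $D$ as $\lambda x.\lambda y.\langle x, y \rangle$, $D_1$ as $\lambda x.\pi_1 x$, and $D_2$ as $\lambda x.\pi_2 x$.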

6. Related problems 

The conservativity proof presented here can be adapted to the non-extensional case
settled by de Vrijer [SHI, i.e., a minor modification gives an alternative proof that $\lambda_{\beta\mathrm{SP}}$ is
conservative over the lambda calculus $\lambda_{\beta}$. To this end, one should simply remove the axiom
($\eta$) from every definition and proof. The electronic, formalized version of the proof allows
for a straightforward verification that the modification is correct.

Another related problem posed by Klop and de Vrijer is still open: whether the
reduction relation $\to_{\beta\eta\mathrm{SP}}$ has the unique normal-form property jTOj. The theory $\lambda_{\mathrm{FP}}$ does not
seem useful in solving that problem.

Meyer asked whether any lambda theory can be conservatively extended with surjective
pairing [£]. That problem also remains open.
Appendix A. Formalized statement of the main result

Below is the formalized statement of the conservativity theorem. The full formal proof
consists of 2670 lines of Twelf code. It was developed using version 1.5R1 of the Twelf
system.^ The encoding technique is based on a formal proof of the Church-Rosser theorem
for $\beta$-reduction that is distributed along with earlier versions of the Twelf system [15].

%%% Terms of the untyped lambda calculus with surjective pairing.

term : type.

@ : term -> term -> term.  %infix left 10 @.

lam : (term -> term) -> term.

p1 : term -> term.

p2 : term -> term.

pair : term -> term -> term.

%freeze term.



^The Twelf system can be obtained from http://www.cs.cmu.edu/~twelf/ 






%%% Lambda calculus with the extensionality rules eta and SP.

==SP : term -> term -> type.  %infix none 5 ==SP.

sp_beta : (lam F) @ N ==SP F N.
sp_eta : lam ([x] M @ x) ==SP M.
sp_proj1 : p1 (pair M N) ==SP M.
sp_proj2 : p2 (pair M N) ==SP N.
sp_SP : pair (p1 M) (p2 M) ==SP M.

% Congruence rules.

sp_refl : M ==SP M.
sp_sym : M ==SP N -> N ==SP M.
sp_trans : M ==SP N -> N ==SP P -> M ==SP P.

sp_c-app : M @ N ==SP M' @ N'
    <- M ==SP M'
    <- N ==SP N'.

sp_c-lam : lam F ==SP lam F'
    <- ({x} F x ==SP F' x).

sp_c-p1 : p1 M ==SP p1 M'
    <- M ==SP M'.

sp_c-p2 : p2 M ==SP p2 M'
    <- M ==SP M'.

sp_c-pair : pair M N ==SP pair M' N'
    <- M ==SP M'
    <- N ==SP N'.

%freeze ==SP.

%%% Pure lambda-terms, i.e., no "pair", "p1", or "p2".

pterm : type.

~ : pterm -> pterm -> pterm.  %infix left 10 ~.
lambda : (pterm -> pterm) -> pterm.

%freeze pterm.

%%% Beta-eta equality on pure terms.

==be : pterm -> pterm -> type.  %infix none 5 ==be.

be_beta : (lambda F) ~ N ==be F N.
be_eta : lambda ([x] M ~ x) ==be M.

% Congruence rules.

be_refl : M ==be M.
be_sym : M ==be N -> N ==be M.
be_trans : M ==be N -> N ==be P -> M ==be P.

be_c-app : M ~ N ==be M' ~ N'
    <- M ==be M'
    <- N ==be N'.

be_c-lam : lambda F ==be lambda F'
    <- ({x} F x ==be F' x).

%freeze ==be.

%%% Injecting pure terms into the general terms.

inject : pterm -> term -> type.
%mode inject +P -T.

inj_app : inject (P1 ~ P2) (M1 @ M2)
    <- inject P1 M1
    <- inject P2 M2.

inj_lam : inject (lambda P) (lam M)
    <- ({x} {y} inject x y -> inject (P x) (M y)).

%freeze inject.

%block inj : block {x : pterm} {y : term} {thm : inject x y}.

%worlds (inj) (inject _ _).
%total P (inject P _).

%%% The main theorem: ==SP is conservative over ==be.

conservative : inject M M' -> inject N N'
    -> M' ==SP N'
    -> M ==be N
    -> type.

%mode conservative +I1 +I2 +E1 -E2.

% [The proof is omitted.]

%worlds () (conservative _ _ _ _).
%total I1 (conservative I1 _ _ _).

% With empty "worlds", the main theorem is actually only shown
% for closed terms. (The generalization to open terms is more
% complicated to express, but it follows easily by
% lambda-abstracting every free variable.)